Congress has approved a bill that would require companies of major importance to U.S. national interests to report if they were hacked or paid a ransom after a ransomware attack. This effort is aimed at giving the government better visibility into companies affected by cyberattacks and their frequency. The bill also aims to improve the cybersecurity and resilience of companies with critical infrastructure.
The Strengthening American Cybersecurity Act of 2022 was approved by both the House of Representatives and the Senate this spring. Subsequently, the US President, Joe Biden, signed the Act into law. The new cybersecurity law consists of three regulations:
- the Federal Information Security Modernization Act of 2022,
- the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and
- the Federal Secure Cloud Improvement and Jobs Act of 2022.
According to the law, companies that provide critical infrastructure must report a cyber attack to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Ransomware payments must also be reported, within 24 hours. In addition to information about the incident, such as a description of the access, the impact on operations and the categories of information the hackers were able to capture, the affected companies must also state which measures they had taken to prevent cyber attacks and which vulnerabilities the attackers exploited.
However, these reporting obligations do not apply to all companies, only to the so-called “operators of critical national infrastructure”. According to Presidential Policy Directive/PPD-21, the following sectors, for example, are classified as critical infrastructure:
- Financial Services,
- Food and Agriculture,
- Healthcare, etc.
If companies in the sectors just mentioned do not comply with their new reporting obligation, they can be subpoenaed by CISA under the threat that the US Department of Justice will become involved.
However, not all cyberattacks are covered by the new law. CISA must be notified of cyberattacks of significant magnitude, e.g. if there is an interruption in the operations of the business or if the cyberattack has a serious impact on the security and resilience of operational systems and processes.
The advantage of the reporting obligation is that CISA can intervene in the event of an incident and support the affected company if necessary. The improved knowledge of cyberattacks on critical infrastructure companies also allows for more comprehensive and therefore better analyses of the attacks, and trends can be identified. Furthermore, the new knowledge can be quickly passed on to companies potentially at risk, which can thus prepare themselves for a possible attack.
According to Senator Gary Peters, one of the initiators of the new law, improving the cybersecurity and resilience of companies of national interest is also relevant in view of the war between Russia and Ukraine, as possible retaliatory attacks by Russian hackers must be expected due to the support of Ukraine by the USA. The bill was initiated by him and Senator Rob Portman after the ransomware attack on the American Colonial Pipeline in spring 2021. After this attack, the affected pipeline, which supplies the entire American East Coast with oil and is therefore considered critical infrastructure, was shut down for several days.
The U.S. Securities and Exchange Commission (SEC), an authority responsible for financial supervision, also declared shortly before the adoption of the Strengthening American Cybersecurity Act of 2022 that it would examine the disclosure of cyber attacks on listed companies. It can therefore be stated that awareness of the danger posed by cyber attacks, especially on a state's critical infrastructure, has increased and is increasingly being taken up by authorities and the government. Although the Strengthening American Cybersecurity Act of 2022 only refers to companies that provide critical infrastructure in the national interest, it is conceivable that, in view of the danger of cyber attacks, the reporting obligations will be extended to other companies.
In Switzerland, too, the danger of cyberattacks is increasingly being countered. For example, the National Cyber Security Centre (NCSC) was created. On the one hand, the NCSC monitors developments and warns of current threats regarding cybersecurity, and on the other hand, it also informs and advises private individuals, companies and authorities. It is guided by the National Strategy for the Protection of Switzerland against Cyber Risks (NCS) 2018-2022 and focuses on capacity building as well as skills and knowledge, but also on establishing processes and structures. As in the newly enacted American law, the focus in Switzerland is also on critical infrastructures and their protection against cyber attacks. Finally, minimum standards for cybersecurity are to be developed with the cooperation of the business community. Switzerland is also examining whether legal reporting obligations for cyber attacks should be implemented. In addition, the legislature is dealing with the revision of the Information Security Act (ISG, AS 2022 232), which has been in force since 1 May 2022, and has submitted a proposal for revision for consultation, in which a reporting obligation for cyber attacks is envisaged. We have recorded our opinion and suggestions for improving the implementation of this reporting obligation in a submission during the consultation process, which you can view here (the submission is in German).